Is your compliance program strong enough?
My thanks to Maurice Gilbert, who shared news about guidance from the US Department of Justice (DOJ). It describes how investigators will assess an organization’s compliance program as part of an investigation into that company.
The DOJ Guidance, Evaluation of Corporate Compliance Programs, should be read and considered by all governance, compliance, risk, and audit practitioners.
Every organization should address every one of the Topics and underlying questions in the document.
Aspects I like include:
- A focus on not just the tone but the conduct at the top
- The stature, autonomy, empowerment, and funding of the compliance function
- An assessment of the risk management activity, although the questions are a bit shallow
- The independence and performance of investigations by the organization
- Whether managers as well as employees are held accountable, and who participated in disciplinary decisions and actions
- The role of internal audit
- The consideration of how the actions of third parties, for example in outsourced operations or by agents, could affect compliance
- Whether there is sufficient due diligence around compliance during M&A
While it would be easy to leave the assessment of compliance activities to internal audit, and I believe this is an area they should actively consider, senior management should take ownership of the need for an effective compliance program.
How does your organization stack up?
Would it pass an evaluation using this guidance?
Shouldn’t the board insist on a periodic assessment by executive management?
I welcome your comments.